A Structured Approach To Enterprise Risk Management (ERM)


A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

Contents

Executive summary
Introduction
Acknowledgements
Part 1: Risk, risk management and ISO 31000
1 Nature and impact of risk
2 Principles of risk management
3 Review of ISO 31000
4 Achieving the benefits of ERM
Part 2: Enterprise risk management
5 Planning and designing
6 Implementing and benchmarking
7 Measuring and monitoring
8 Learning and reporting
Appendices
A Risk management checklist
B Implementation summary

List of figures
1 Risk architecture, strategy and protocols
2 Framework for managing risk (based on ISO 31000)
3 Risk management process (based on ISO 31000)
4 Risk architecture of a large PLC
5 Drivers of risk management

List of tables
1 Detailed risk description
2 Contents of risk management policy
3 Risk management responsibilities
4 Risk assessment techniques

AIRMIC, Alarm, IRM: 2010

Executive summary

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the ‘upside of risk’.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 ‘Risk management – Principles and guidelines’. This guide draws together these developments to provide a structured approach to implementing enterprise risk management (ERM).

Purpose of this guide

A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.

This guide provides a brief commentary on ISO 31000 as well as setting out advice on the implementation of an ERM initiative.
The purpose of the guide is to:

- describe the principles and processes of risk management
- provide a brief overview of the requirements of ISO 31000
- give practical guidance on designing a suitable framework
- give practical advice on implementing enterprise risk management

Intended benefits of risk management

For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organisation.

Introduction

This guide is the result of work by a team drawn from the main risk management organisations in the UK – the Association of Insurance and Risk Managers (AIRMIC), the public sector risk management association (Alarm) and the Institute of Risk Management (IRM). The guide is intended to be applicable to all types of organisations. Throughout the guide, the word Board is used to signify the decision-making body within an organisation. In the public sector, this body may be referred to as the Council, Executive or Authority.

COSO ERM framework and ISO 31000

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an Enterprise Risk Management (ERM) standard in 2004. The COSO ERM cube is well known to risk management practitioners and it provides a framework for undertaking ERM. It has gained considerable influence because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States. ISO 31000 was published in 2009 as an internationally agreed standard for the implementation of risk management principles.

There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. International Organisation for Standardisation (ISO) standard 31000 was published in 2009 and seeks to answer these questions. This guide includes a brief commentary on ISO 31000, as well as providing further information on the successful implementation of risk management. Importantly, this guide recognises that risk has both an upside and downside.

This guide provides a structured approach to implementing risk management on an enterprise-wide basis that is compatible with both COSO ERM and ISO 31000. However, the guide places more emphasis on ISO 31000 because it is an international standard and many organisations have international operations.
At the same time as publishing ISO 31000, ISO also produced Guide 73 ‘Risk management – Vocabulary – Guidelines for use in standards’.

Risk management principles

Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organisation and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organisation (as related to the size, nature and complexity of the organisation), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable. Appendix A provides a checklist of actions that should be completed in order to fully satisfy risk management requirements.

Acknowledgements

Permission to reproduce extracts from ISO 31000 ‘Risk management – Code of practice’ is granted by the BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/shop or by contacting BSI Customer Services for hardcopies only: Tel: 44 (0)20 8996 9001, e-mail: cservices@bsigroup.com

Figure 1, Figure 4, Table 2, Table 3 and Table 4 are reproduced with kind permission of Kogan Page Limited from “Fundamentals of Risk Management” (2010) ISBN 978 0 7494 5942 0, www.koganpage.com

Part 1: Risk, risk management and ISO 31000

Part 1 provides an overview of risk and risk management with particular reference to ISO 31000. The terminology used to describe the steps in the risk management process is not consistent and this part reflects on these difficulties. A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance is presented by way of a checklist in Appendix A.

1. Nature and impact of risk

Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.

Definition of risk

There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

For example, consider the infrastructure of an organisation and the implementation of a new IT system. The choice of hardware and software are strategic decisions. If these choices are incorrect, the consequences will not be obvious for some time.
The associated risks are strategic risks and these risks will be taken with the intention of achieving benefits. Correct strategic decisions deliver benefits that result in achievement of the upside of risk.

The project to install the new hardware and software will be a change initiative that represents the tactics by which strategy will be implemented. Risks within the project need to be managed, so that the project is delivered on time, within budget and to specification. Again, it is possible to achieve an upside in the execution of the project, whereby the project is delivered early and below budget. It is also possible that the IT hardware and software will deliver greater benefits than anticipated.

Once the new hardware and software has been installed, the system will be vulnerable to operational risks, including computer breakdown, loss of data, virus attacks and operator errors. These operational risks may be very significant, and correct procedures will need to be designed and implemented to minimise potential disruption.

Recording risk assessments

Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. Table 1 shows the range of information that may need to be recorded. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process.

The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks. Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences.

For example, many organisations find that assessing likelihood and consequences as high, medium or low, with the results presented on a 3 x 3 risk matrix, is adequate. Other organisations find that more options are necessary and a 4 x 4 or 5 x 5 risk matrix is required. By considering the likelihood and consequences of each risk, it will be possible to prioritise or rank the key risks for further analysis.

Risk classification systems

An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks.
A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable.

Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations.

Table 1: Detailed risk description

1. Name or title of risk
   Unique identifier or risk index
2. Scope of risk
   Scope of risk and details of possible events, including description of the events, their size, type and number
3. Nature of risk
   Classification of risk, timescale of potential impact and description as hazard, opportunity or uncertainty
4. Stakeholders
   Stakeholders, both internal and external, and their expectations
5. Risk evaluation
   Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level
6. Loss experience
   Previous incidents and prior loss experience of events related to the risk
7. Risk tolerance, appetite or attitude
   Loss potential and anticipated financial impact of the risk
   Target for control of risk and desired level of performance
   Risk attitude, appetite, tolerance or limits for the risk
8. Risk response, treatment and controls
   Existing control mechanisms and activities
   Level of confidence in existing controls
   Procedures for monitoring and review of risk performance
9. Potential for risk improvement
   Potential for cost-effective risk improvement or modification
   Recommendations and deadlines for implementation
   Responsibility for implementing any improvements
10. Strategy and policy developments
   Responsibility for developing strategy related to the risk
   Responsibility for auditing compliance with controls

This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO 31000 does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.

2. Principles of risk management

Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.

Context for risk management

Risk management should be a continuous process that supports the development and implementation of the strategy of an organisation. It should methodically address all the risks associated with all of the activities of the organisation.
In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.

It is often argued that, for health and safety risks, the consequences can only be negative and the management of safety risk should focus on prevention and mitigation of harm. However, for outsourced service providers, setting good standards of health and safety may be part of winning contracts and this demonstrates that there is an upside to safety risk management.

Risk aware culture

Risk management must be integrated into the culture of the organisation and this will include mandate, leadership and commitment from the Board. It must translate risk strategy into tactical and operational objectives, and assign risk management responsibilities throughout the organisation. It should support accountability, performance measurement and reward, thus promoting operational efficiency at all levels. Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols.

In order to successfully implement, support and sustain the risk management process, a structure is required. ISO 31000 refers to this structure as the risk management context. Figure 1 illustrates a suitable structure in terms of the risk architecture, strategy and protocols, and briefly describes the key features of each element. This structure is designed to give context to risk management activities and support the risk management process.

Risk management process

The risk management process can be presented as a list of co-ordinated activities. There are alternative descriptions of this process, but the components listed below are usually present.
This list represents the 7Rs and 4Ts of (hazard) risk management:

- recognition or identification of risks
- ranking or evaluation of risks
- responding to significant risks:
  - tolerate
  - treat
  - transfer
  - terminate
- resourcing controls
- reaction planning
- reporting and monitoring risk performance
- reviewing the risk management framework
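The risk register template of Table 1, the likelihood/consequence ranking described under 'Recording risk assessments' and the 4Ts responses listed above can be put together in a small register. The following Python is an added example and is not code from the guide or from AIRMIC, Alarm or IRM; the three-level scales, the product-of-scores rating, the tie-breaking rule, the classification names, the 'exploit' response for opportunity risks and the five risk entries (loosely based on the new-IT-system example in the text) are all constructed for illustration, and an organisation would define its own measures as the guide says.

```python
"""Risk register with likelihood/consequence ranking and 4Ts responses.

Added example, not code from the AIRMIC/Alarm/IRM guide. The scales, rating
rule, classification names and risk entries below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Nature(Enum):
    """Table 1, row 3: description as hazard, opportunity or uncertainty."""
    HAZARD = "hazard"
    OPPORTUNITY = "opportunity"
    UNCERTAINTY = "uncertainty"


class Response(Enum):
    """The 4Ts for hazard risks, plus 'exploit' for opportunity risks (assumed)."""
    TOLERATE = "tolerate"
    TREAT = "treat"
    TRANSFER = "transfer"
    TERMINATE = "terminate"
    EXPLOIT = "exploit"


@dataclass
class Scale:
    """Ordered qualitative levels, lowest first; the 1-based index is the score.
    Three levels on both axes give the 3 x 3 matrix; five give a 5 x 5 matrix."""
    levels: List[str]

    def score(self, label: str) -> int:
        if label not in self.levels:
            raise ValueError(f"{label!r} is not a level of {self.levels}")
        return self.levels.index(label) + 1


@dataclass
class Risk:
    """Subset of the Table 1 fields: identifier, title, classification,
    nature, evaluation (likelihood and consequence) and response."""
    risk_id: str
    title: str
    classification: str
    nature: Nature
    likelihood: str
    consequence: str
    responses: List[Response] = field(default_factory=list)


class RiskRegister:
    def __init__(self, likelihood: Scale, consequence: Scale) -> None:
        self.likelihood = likelihood
        self.consequence = consequence
        self.risks: List[Risk] = []

    def add(self, risk: Risk) -> None:
        # Reject a record that cannot be placed on the matrix, reuses an
        # index, or carries a response not available for its nature of risk.
        self.likelihood.score(risk.likelihood)
        self.consequence.score(risk.consequence)
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk index {risk.risk_id}")
        if Response.EXPLOIT in risk.responses and risk.nature is not Nature.OPPORTUNITY:
            raise ValueError(f"{risk.risk_id}: 'exploit' applies to opportunity risks only")
        self.risks.append(risk)

    def cell(self, risk: Risk) -> Tuple[int, int]:
        """Matrix coordinates as (likelihood score, consequence score)."""
        return (self.likelihood.score(risk.likelihood),
                self.consequence.score(risk.consequence))

    def rating(self, risk: Risk) -> int:
        """Semi-quantitative rating: product of the two ordinal scores (assumed rule)."""
        likelihood, consequence = self.cell(risk)
        return likelihood * consequence

    def ranked(self) -> List[Risk]:
        """Highest rating first; ties broken by consequence, then by index."""
        return sorted(self.risks,
                      key=lambda r: (-self.rating(r), -self.cell(r)[1], r.risk_id))

    def accumulations(self) -> Dict[str, int]:
        """Sum of ratings per classification, to spot accumulations of similar risks."""
        totals: Dict[str, int] = {}
        for r in self.risks:
            totals[r.classification] = totals.get(r.classification, 0) + self.rating(r)
        return totals


def build_sample_register() -> RiskRegister:
    """Constructed register around the new-IT-system example in the text."""
    three = ["low", "medium", "high"]
    reg = RiskRegister(Scale(three), Scale(three))
    reg.add(Risk("R1", "Loss of data after system breakdown", "operational",
                 Nature.HAZARD, "medium", "high", [Response.TREAT]))
    reg.add(Risk("R2", "Malware infection of the new system", "operational",
                 Nature.HAZARD, "high", "high", [Response.TREAT, Response.TRANSFER]))
    reg.add(Risk("R3", "Installation project overruns", "tactical",
                 Nature.HAZARD, "medium", "medium", [Response.TREAT]))
    reg.add(Risk("R4", "Wrong hardware platform chosen", "strategic",
                 Nature.HAZARD, "low", "high", [Response.TOLERATE]))
    reg.add(Risk("R5", "Project delivered under budget", "tactical",
                 Nature.OPPORTUNITY, "low", "medium", [Response.EXPLOIT]))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for risk in register.ranked():
        print(f"{risk.risk_id} rating={register.rating(risk)} cell={register.cell(risk)} {risk.title}")
    print(register.accumulations())
```

Running the script lists the five constructed risks from the top-right of the 3 x 3 matrix downwards and then totals the ratings by classification, which is the "accumulation of similar risks" view the text describes; swapping in five-level scales turns the same register into a 5 x 5 matrix without other changes.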

Figure 1: Risk architecture, strategy and protocols

Figure 1 shows the risk management process supported by three elements:

- Risk architecture: specifies the roles, responsibilities, communication and risk reporting structure
- Risk strategy: risk strategy, appetite, attitudes and philosophy are defined in the Risk Management Policy
- Risk protocols: presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used

Recognition and ranking of risks together form the risk assessment activity. ISO 31000 uses the phrase ‘risk treatment’ to include all of the 4Ts included under the heading ‘risk response’. The scope of risk responses available for hazard risks includes the options of tolerate, treat, transfer or terminate the risk or the activity that gives rise to the risk. For many risks, these responses may be applied in combination. For opportunity risks, the range of available options includes exploiting the risk. Reaction planning includes business continuity planning and disaster recovery planning.

3. Review of ISO 31000

ISO 31000 describes the components of a risk management implementation framework. Figure 2 provides a simplified version of this implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is ‘mandate and commitment’ by the Board and this is followed by:

- design of framework
- implement risk management
- monitor and review framework
- improve framework

Framework for managing risk

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000.
An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation. The risk architecture, strategy and protocols shown in Figure 1 represent the

